Vulnerability Management
Information Security Standard

Information Security Standards (ISS) are developed to support and enforce both District Administrative Regulations and the California Community College Information Security Standard.

I. Purpose and Scope

The objective of this Information Security Standard is to describe policies for secure operations of Long Beach Community College District’s (LBCCD) information and systems. The following topics are covered: 

  1. Virus Management
  2. Patches and Updates
  3. Software and Asset Management
  4. Backup and Media
  5. Third-Party Management
    5.1 Vendor Risk Management Procedure
    5.2 HIPAA Third-Party Agreements
    5.3 PCI Third-Party Requirements

This is one of a series of Information Security Standards maintained by the District Information Technology (IT) department designed to protect LBCCD information systems. 

1. Applicability of Assets

This Information Security Standard applies to all electronic assets that are owned or leased by LBCCD, including but not limited to: 

  • Desktop and Laptop Computers
  • Mobile Devices
  • Servers
  • Network Infrastructure

2. Applicability to all Employees and Volunteers

This Information Security Standard applies to all Board of Trustees authorized/ratified full-time and part-time regular Academic and Classified employees, Substitutes, Short-term (Temporary) staff, Professional Experts, College Work Study students, Student Help, and Volunteers who are employed in the LBCCD for the purpose of meeting the needs of students.

3. Applicability to External Parties

This Information Security Standard applies to all external parties, including but not limited to LBCCD business partners, vendors, suppliers, outsource service providers, and other third-party entities with access to LBCCD networks and system resources.

II. Vulnerability Management

1. Virus Management

All applicable systems must be configured with District IT-approved anti-virus software.  The software must be configured to scan for viruses in real-time.  Anti-virus programs must be capable of detecting, removing, and protecting against all known types of malicious software.

All systems with anti-virus software must be configured to update virus signatures on a daily basis.

End users must not be able to configure or disable the software.

All anti-virus mechanisms must generate audit logs to aid District IT and campus IT in detecting and responding to virus outbreaks. 

2. Patches and Updates

LBCCD must ensure that all system components and software are protected from known vulnerabilities by installing the latest vendor-supplied firmware, security patches, hotfixes, and service packs found to be applicable to LBCCD computing resources. Where feasible, patches must be tested in a test environment prior to production deployment.  Testing must ensure that systems function correctly.

Changes to servers and networks should be tested prior to implementation and follow normal change control management procedures.   

District IT and campus IT must be alert to identifying new security vulnerabilities by monitoring available vendor or industry security sources.  Hardening and configuration standards must be updated as soon as practical after new vulnerabilities are found.

District IT and campus IT system administrators must keep up with vendor changes and enhancements. Urgent patches that address security vulnerabilities must be installed as soon as feasible without introducing instability or impacting service availability.

Both FedRAMP and CISA list the following remediation timelines, measured from the date a vulnerability is identified, for their respective vulnerability classifications.

  • Critical within 15 days
  • High within 30 days
  • Medium within 90 days
  • Low within 180 days
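The timelines above are easiest to enforce when every scanner finding is tracked against a due date. The following script is an added example, not part of the standard or of any LBCCD tooling: it encodes the four remediation windows, computes the due date for each finding, and reports which findings are overdue or due within a week as of a given date. The `severity_from_cvss` helper is an assumption layered on top of the standard, using the CVSS v3.x qualitative rating scale to bucket scanner scores into the four severities the standard names; the findings and dates are constructed sample data, and the identifiers are placeholders rather than real CVE numbers.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows from the standard: days allowed after the vulnerability
# is identified, keyed by classification.
SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 90, "Low": 180}


def severity_from_cvss(score: float) -> str:
    """Bucket a CVSS v3.x base score into the standard's four severities.

    Assumption: the standard only names the severities; this mapping is the
    CVSS v3.x qualitative scale (9.0-10.0 Critical, 7.0-8.9 High,
    4.0-6.9 Medium, 0.1-3.9 Low). A score of 0.0 carries no SLA.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 0.1:
        return "Low"
    return "None"


@dataclass(frozen=True)
class Finding:
    asset: str        # hostname or asset tag from the inventory
    finding_id: str   # scanner or CVE identifier (placeholders below)
    severity: str     # one of the SLA_DAYS keys
    discovered: date  # date the vulnerability was identified


def due_date(finding: Finding) -> date:
    """Remediation deadline: discovery date plus the window for its severity."""
    try:
        return finding.discovered + timedelta(days=SLA_DAYS[finding.severity])
    except KeyError:
        raise ValueError(f"no remediation window for severity {finding.severity!r}")


def sla_status(finding: Finding, as_of: date, warn_days: int = 7) -> tuple[str, int]:
    """Return (status, days_remaining); days_remaining is negative once overdue."""
    remaining = (due_date(finding) - as_of).days
    if remaining < 0:
        return "overdue", remaining
    if remaining <= warn_days:
        return "due_soon", remaining
    return "on_track", remaining


def sla_report(findings: list[Finding], as_of: date) -> list[tuple]:
    """Rows of (asset, id, severity, due, status, days_remaining), most urgent first."""
    rows = []
    for f in findings:
        status, remaining = sla_status(f, as_of)
        rows.append((f.asset, f.finding_id, f.severity, due_date(f).isoformat(),
                     status, remaining))
    rows.sort(key=lambda r: r[5])
    return rows


# Constructed sample findings; identifiers are placeholders, not real CVEs.
AS_OF = date(2024, 3, 1)
SAMPLE_FINDINGS = [
    Finding("web-01", "EXAMPLE-0001", "Critical", date(2024, 2, 1)),
    Finding("db-02", "EXAMPLE-0002", "High", date(2024, 2, 5)),
    Finding("lab-pc-17", "EXAMPLE-0003", "Medium", date(2024, 1, 10)),
    Finding("print-srv", "EXAMPLE-0004", "Low", date(2023, 9, 1)),
]

if __name__ == "__main__":
    for asset, fid, sev, due, status, remaining in sla_report(SAMPLE_FINDINGS, AS_OF):
        print(f"{status:9} {remaining:4d}d  {sev:8} {asset:12} {fid} due {due}")
```

Sorting by days remaining puts already-overdue findings at the top, so the output doubles as the escalation list for the next patch cycle; the `warn_days` window gives administrators a week of notice before an item crosses its SLA rather than reporting only after the fact.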

3. Software and Asset Management

Administrative Procedure 3720: Computer and Network Use sets forth usage policies for critical technologies that include e-mail usage and Internet usage and defines the proper use of these technologies.  District IT may also issue mobile devices (such as laptops or removable storage devices) and will maintain a list of issued devices and personnel with access to assist in determining the owner, contact information, and purpose.

District IT and campus IT will maintain a list of company-approved products and software.

4. Backup and Media

Users must store all critical files on the local area network or approved cloud-storage vendor so that they can be properly backed up.  If an end-user chooses to store essential data elsewhere, it must be approved by District IT management or campus IT management and the user is responsible for ensuring the data can be recovered. 

Any media containing backup data that is stored on-site must be classified so that operations personnel can determine the sensitivity of the data stored on tape or other formats.  Refer to the IT Data Classification Standard for the classification and handling of information.

Any backup media that must be transferred that contains restricted information must be sent by a secured courier or another delivery method that can be accurately tracked.  Management must approve all media that is moved from a secured area (especially when media is distributed to individuals).

Strict control must be maintained over the storage and accessibility of backup media.  Inventory logs of all media must be maintained and reviewed at least annually.

Media must be destroyed when it is no longer needed for business or legal reasons. Data retention requirements must be documented.

The District Disaster Recovery Standard outlines the strategy and basic procedures to enable the Long Beach Community College District (LBCCD) to withstand the prolonged unavailability of critical information and systems and provide for the recovery of District Information Technology Services (ITS) in the event of a disaster. 

5. Third-Party Management

A third-party user is a non-LBCCD employee or entity that is authorized to access LBCCD systems and networks.  Examples of third-party users include consultants, contractors, temporary employees, interns, vendors, business partners, service providers, and suppliers of products, services, or information. 

Network connections between the LBCCD environment and third parties must follow agreed-upon security procedures and/or confidentiality requirements. Such connections and other third-party access to LBCCD’s systems must be governed by formal written agreements or contracts. 

These agreements may require signed Confidentiality and Non-Disclosure statements restricting the subsequent usage and dissemination of LBCCD information. 

Vendors or other third parties with access to LBCCD-owned or leased equipment or systems housed in the LBCCD data center are restricted to only the specific equipment and systems they are authorized to maintain or monitor and are subject to District Access Control Standards.

5.1 Vendor Risk Management Procedure

Third-party systems often have direct access to institutional data, networks, and other information systems, thereby presenting an inherent risk to the District. The inclusion and consideration of information security controls is, therefore, an integral part of purchasing and maintaining new and existing third-party systems.

California community colleges are also subject to several federal and state information-security mandates. One such requirement of the Gramm-Leach-Bliley Act (GLBA) is to comply with the FTC Safeguards Rule (16 CFR §314.4[d]), which states that institutions shall:

Oversee service providers, by:

  • Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
  • Requiring your service providers by contract to implement and maintain such safeguards.

The District IT Vendor Risk Assessment Procedure details the process for engaging service providers including proper due diligence prior to beginning the engagement.  A list of all third-party providers must be maintained.

5.2 HIPAA Third-Party Agreements

HIPAA regulations specify that formal written agreements must be established with each party (often considered a “business associate”) who will access protected health information (PHI). The parties must agree to protect the integrity and confidentiality of the information being exchanged, and the agreement must clearly define the responsibilities of both parties, including:

  • LBCCD security policies and security mandates, including any fines and penalties that may be incurred for HIPAA or PCI non-compliance or lack of compliance with the regulations
  • Ownership and acceptable uses of PHI and other classified information
  • Requirements for business continuity by the third party, in the event of a major disruption, disaster, or failure
  • Audit provisions for LBCCD or LBCCD-approved entities in the event of a data compromise.  Provisions to ensure that LBCCD, or an LBCCD-approved auditor, will be provided with full cooperation and access to conduct a thorough security review after a security intrusion. The review will validate compliance with LBCCD standards and HIPAA regulators for protecting PHI and other LBCCD information.
  • Security of PHI and LBCCD information during third-party contract terminations or data transfers.

5.3 PCI Third-Party Requirements

LBCCD information technology resources shall not be used to process, store, or transmit payment card data. To process online payment card transactions, Business Units are required to use vendors that are PCI DSS compliant and provide the District with the vendor’s official attestation of compliance.